File name:

2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm

Full analysis: https://app.any.run/tasks/a540207d-0d0c-49fd-aeec-3387a6f87697
Verdict: Malicious activity
Analysis date: June 21, 2025, 12:12:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xor-url
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

17E0AEF0A7242913B982549A1456DFAD

SHA1:

BC0A7B1623D009F2ACB57815DF0DB868820ED3A2

SHA256:

CC98F33650E08BB1AD1B8771F24404FD57D28D65CFC3842A44B9D18B593F4111

SSDEEP:

98304:QP6yuFuU+uhEU+CDIvopxJopx8ao+zCUYS8YVUYSxywkjjVApdShIkegt+eobwE8:k3gPBYySbzzdr0iV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)
      • net.exe (PID: 6852)
      • net.exe (PID: 6636)
      • net.exe (PID: 4120)
      • net.exe (PID: 3608)
      • net.exe (PID: 2368)
      • net.exe (PID: 5556)
      • net.exe (PID: 2388)
      • net.exe (PID: 3196)
      • net.exe (PID: 5124)
      • net.exe (PID: 5772)
      • net.exe (PID: 1604)

    • Uses NET.EXE to stop Windows Security Center service

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)
      • net.exe (PID: 2368)
      • net.exe (PID: 3608)

    • Uses NET.EXE to stop Windows Update service

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)
      • net.exe (PID: 4120)
      • net.exe (PID: 1604)

    • XORed URL has been found (YARA)

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)

    • Executable content was dropped or overwritten

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)

    • Executing commands from a ".bat" file

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)

    • Windows service management via SC.EXE

      • sc.exe (PID: 6516)
      • sc.exe (PID: 6264)
      • sc.exe (PID: 6584)
      • sc.exe (PID: 2620)

    • Uses REG/REGEDIT.EXE to modify registry

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)

    • Creates file in the systems drive root

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)

  • INFO

    • The sample compiled with chinese language support

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)

    • Failed to create an executable file in Windows directory

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)

    • Creates files or folders in the user directory

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)

    • Checks supported languages

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)

    • Create files in a temporary directory

      • 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe (PID: 3488)

    • Checks proxy server information

      • slui.exe (PID: 2280)

    • Reads the software policy settings

      • slui.exe (PID: 2280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (71.2)
.exe | Win32 Executable Microsoft Visual Basic 6 (6.9)
.exe | InstallShield setup (3.6)
.exe | Win32 Executable MS Visual C++ (generic) (2.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:11:23 02:19:28+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 147456
InitializedDataSize: 69632
UninitializedDataSize: -
EntryPoint: 0x2bd4
OSVersion: 4
ImageVersion: 6.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.1.0.0
ProductVersionNumber: 6.1.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: Windows Update Manager for NT
CompanyName: UMBERLLA
FileDescription: G.3
LegalCopyright: Copyright (C) Microsoft Corp. 1981-1999
ProductName: Microsoft(R) Windows (R) 2000 Operating System
FileVersion: 6.01
ProductVersion: 6.01
InternalName: INCUBUS
OriginalFileName: INCUBUS.exe
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
189
Monitored processes
56
Malicious processes
1
Suspicious processes
4

Behavior graph

Click at the process to see the details
start #XOR-URL 2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe net.exe no specs conhost.exe no specs net1.exe no specs at.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net.exe no specs net.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs regedit.exe no specs reg.exe no specs reg.exe no specs at.exe no specs conhost.exe no specs net1.exe no specs conhost.exe no specs net1.exe no specs net1.exe no specs at.exe no specs net1.exe no specs net1.exe no specs net.exe no specs net.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1352\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1380C:\WINDOWS\system32\net1 stop srservice /yC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1496\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1508C:\WINDOWS\system32\net1 stop srservice /yC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1604net.exe stop wuauserv /yC:\Windows\SysWOW64\net.exe2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1712C:\WINDOWS\system32\net1 stop 360timeprot /yC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1936\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1964C:\WINDOWS\system32\net1 stop wscsvc /yC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1984\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2276C:\WINDOWS\system32\net1 stop wscsvc /yC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
Total events
4 158
Read events
4 158
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
34882025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exeC:\Users\admin\AppData\Local\VirtualStore\ntldr~8executable
MD5:17E0AEF0A7242913B982549A1456DFAD
SHA256:CC98F33650E08BB1AD1B8771F24404FD57D28D65CFC3842A44B9D18B593F4111
34882025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exeC:\Users\admin\AppData\Local\VirtualStore\ntldr~6executable
MD5:17E0AEF0A7242913B982549A1456DFAD
SHA256:CC98F33650E08BB1AD1B8771F24404FD57D28D65CFC3842A44B9D18B593F4111
34882025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\Folderdirexecutable
MD5:CD6AE53CEC41CDFB70AE6613441D216E
SHA256:75E9B8A00DFFCB7292799CCCE3EC6C4F93B68C76D6053188644481BDC8FB3A2A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
45
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4844
RUXIMICS.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4844
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.159.23:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
200
20.190.159.23:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
POST
200
20.190.159.2:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
40.126.31.130:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4844
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4844
RUXIMICS.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4844
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
  • 184.25.50.8
  • 184.25.50.10
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.3
  • 40.126.32.138
  • 40.126.32.134
  • 20.190.160.132
  • 20.190.160.130
  • 20.190.160.2
  • 20.190.160.128
  • 20.190.160.17
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-21_17e0aef0a7242913b982549a1456dfad_amadey_black-basta_cloudeye_darkgate_elex_hijackloader_lamer_rhadamanthys_sm